Professional Documents
Culture Documents
Outline
• Message Digests
• Message Authentication and Digital Signatures
• Non-repudiation
• Certificates
• Certificate Validation
1
Information Security
Message Digests
• Public key technology is very slow
• public-key encryption
– use public-key encryption to send a secret key with
confidentiality
– actual traffic is encrypted using secret key
• Public-key digital signatures
– cannot sign big messages
Original message,no limit to size Message digest Message digest 128 bit/160 bit
Algorithm
Hard
2
Easy
Information Security
Message Digest
For performance reasons, sign the message digest but
not the message
also known as message authentication codes
One way hash functions: H(M) = m
– H is the one-way function
– easy to compute but difficult to invert
– m = H(M) is easy to compute
– M = H-1(m) is hard to compute
– M is a long message (say 1 megabyte)
– m is a short (say 128 bit) digest
authenticity of a message can be checked by computing
H(M) = m, and comparing with the transmitted m
this requires that the digest m be either
– transmitted over a more secure channel than M, e.g., M is a disk
transmitted by mail, m is transmitted via phone, or
3
– m be digitally signed which may be easier than signing M
Information Security
4
Information Security
5
Information Security
6
Information Security
Desired Characteristics
• Weak hash function
– difficult to find M' such that H(M') = H(M)
– given M and m = H(M) try messages at random to find M' with H(M') = m
– 2k trials on average, k= 64 is considered to be safe
• Strong hash function
– difficult to find any two M1 and M2 such that H(M1) = H(M2)
– try pairs of messages at random to find M1 and M2 such that H(M1) = H(M2)
– 2k/2 trials on average, k=128 to be safe
– k = 160 is better
– for a n bit digest birthday attack will allow M1, M2 to be found in 2n/2
operations
– (if there are >= 23 people, the chance of two of them have the same birthday is
>50%)
7
Information Security
Message Digests
• MD5
– proposed by Ron Rivest (of RSA)
– 128 bit digest
– simple, compact and fast
• NIST SHA
(https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpub
lication800-107r1.pdf)
– SHA-1, SHA224, SHA256, SHA384, SHA512, SHA512/224, SHA512/256
8
Information Security
Digital signatures
Insecure Channel
Encrypted MD + plaintext
9
Information Security
Insecure Channel
Plain Text + signature
Verification Yes/No
A
Plain Text Signature
Algorithm Algorithm B
K K
Signature = MD of (plaintext + K)
11
Information Security
Non-Repudiation
In general, non-repudiation requires a notarized
signature, involving a third party in addition to A and
B
In large systems this can involve hierarchies of
notarization
12
Information Security
Outline
• Message Digests
• Message Authentication and Digital Signatures
• Non-repudiation
• Certificates
• Certificate Validation
13
Information Security
Public-key certificates
• Binding of public key to an individual or entity
• public-key encryption
– sender needs the public key of the receiver
• public-key digital signatures
– receiver needs the public key of the sender
• public-key agreement
– both need each other’s public keys
• Reliable distribution of public-keys is critical
– otherwise, an intruder can substitute a different public key resulting
in disclosing of encrypted contents to unintended parties
• Easier for small groups of cooperating parties
• A public-key certificate system where a certification
authority issue certificates for the holders of key pairs
14
Information Security
X.509 certificate
• Comprises of • Example
– version – 0
– serial number – 1234566679079950956
– signature algorithm ID – RSA+MD5,512
– issuer name – c=us,s=nj,o=rutgers,ou=msis
– validity period – 1/1/2010-1/1/2022
– subject (user) name – c=us,s=nj,o=rutgers,cn=Vijay Atluri
– subject public-key information – RSA,1024,XXXXXXXXX
– signature on the above fields – signature
16
Information Security
Certificate Trust
• The primary benefits of the certificate system
– one can reliably obtain a large number of parties starting with the knowledge
of one party’s public-key
– scalability
• how to acquire public key of the issuer to verify signature
• whether or not to trust certificates signed by the issuer for this
subject
17
Information Security
18
Information Security
Certification Paths
• One certificate authority to issue certificates for all!!
– Key distribution problem is solved
– is it feasible?
• Need multiple certification authorities
• not practical for a public-key user to have the public-keys of
all CAs
• the certificate paradigm can be applied recursively to obtain
the public keys of a progressively larger number of CAs
– called certificate chain or certificate path
19
Information Security
Certificate path
20
Information Security
Legal relationships
• Closed community
– CA and its subscribers are all part of one legal entity
– e.g., subscribers are ATMs, bank is the CA
• open community
– CA is an independent legal entity (third party)
– e.g., commercial CA service provider issues certificates to people who
subscribe
22
Information Security
Subject authentication
• the CA must make sure that the holder of the private key
corresponding to the certified public key is indeed the same
person or entity
• physical presence - a strong confirmation of identity
• identification documents - passport, employee id, driver’s
license
• Local registration authority may be used for approving the
certificate application (but LRA is not a CA, it does not issue
certificates)
23
Information Security
Key management
• Key pair generation
– generation where the private key is held (requirement in the
ANSI X9.57)
– generation at a central system
• Private key protection
– storage in a tamper-resistant hardware module (such as a
smart card)
– storage in an encrypted file within a computer system
24
Information Security
25
Information Security
Signature Keys
• private key: must be private for entire life, may never leave smart
card
– needs to be securely destroyed after lifetime
– no need for backup as protection against accidental loss of key (would conflict
with above)
– no need for archiving (would conflict with above)
– if disclosed even after long time of active use, it may still be used to forge
signatures on old documents
– no need to weaken or escrow due to law
• public key: must be archived possibly for a long time
– to verify old signatures
26
Information Security
Encryption Keys
• private key: backup or archive required for recovery
– should not be destroyed after lifetime
– may be weakened/escrowed due to law
• public key:
– no need to backup RSA or other encryption keys
– need to backup Diffie-Hellman key agreement keys
27
Information Security
28
Information Security
X.509 Certificates
• X.509 version1 (1988)
– very basic
• X.509 version2 (1993)
– adds unique identifiers to prevent against reuse of X.500 names
• X.509 version3 (1996, revised 1999)
– adds many extensions
– can be further extended
29
Information Security
30
Information Security
31
Information Security
Directory Services
• Certificate distribution can be done via a directory
service
• X.500 - the ISO standard
• LDAP (Lightweight directory access protocol) has a
standard protocol for accessing information in the
directory service public key certificates
• proprietary directory services - Microsoft exchange
directory, Novell’s Netware directory, Lotus Notes
directory
32
Information Security
Name Structure
33
Information Security
34
Information Security
35
Information Security
36
Information Security
37
Information Security
38
Information Security
39
Information Security
40
Information Security
42
Information Security
General Extensions
• CRL Number (incrementing sequence number)
• Reason Code
– Key Compromise
– CA Compromise
– Affiliation changed
– Superseded
– Cessation of operation
– Remove from CRL: defer till Delta-CRL
– Certificate hold: defer
• Invalidity Date
43
Information Security
44
Information Security
Delta-CRLs
• Delta CRL indicator
– only carries changes from previous CRL
– If clients have secure storage facilities, then there is no need to download the
base CRL all the time.
• Remove from CRL reason code causes purge from base CRL (stored
at certificate user)
– removal due to expiry of validity period or restoration of suspension
45
Information Security
Indirect-CRL
• CRL can be issued by a different CA than the issuer of certificate
– allows all compromise revocations to be one list
– allows all CA revocations to be on one list (simplify certificate chasing)
– extension field: certificate issuers
46
Information Security
Certificate Suspension
• Certificate hold reason code in CRL
• Supporting CRL entry extension
– Instruction code: instructions on what to do with held certificate
• call CA, repossess token
47
Information Security
48
Information Security
49
Information Security
50
Information Security
51
Information Security
Forest of Hierarchies
52
Information Security
SET PKI
53
Information Security
MISSI PKI
54
• MISSI: Multi-level Information System Security Initiative
Information Security
Outline
• Message Digests
• Message Authentication and Digital Signatures
• Non-repudiation
• Certificates
• Certificate Validation
55
Information Security
Why Validation?
56
Information Security
Certificate Validation
57
Information Security
Validation Protocols
• The Problem
– Find Marty Yam’s Phone Number
1. CRLs (Certificate Revocation List)
– Call an operator for Marty’s phone number, get back the whole
phone book
2. CRLDPs (CRL distribution points)
– Call an operator for Marty’s phone number, get back only the
pages dealing with “Y”
3. OCSP (on-line certificate status protocol)
– Call an operator for Marty’s phone number, get back his
number from an operator
4. SCVP (simple certificate validation protocol)
– Call an operator and get automatically connected to his phone
58
Information Security
59
Information Security
CRL CRL
CA CA
System/CRL System/CRL
Sever Sever
60
Information Security
CRLs - Advantages
+ Ability to Cache
+ Easy to manage for small numbers
+ Works with all issued certificates
+ Industry standard
61
Information Security
CRLs -Disadvantages
- Size -- Storage,
- Huge bandwidth all the way to the clients
- Unscalable
- Does not scale past 10,000 users for large number of clients
- Requirement to Cache
- does not provide real-time certificate status information
- since issued on a periodic basis
- Painful to Find CRLs from online directories for end-user
applications,
- especially if certificate chains are involved and CRLs are required to be
fetched from different locations
- do not provide a positive response regarding a “particular”
certificate being "good"
62
Information Security
CRL - Applications
• Ideal for deployment
– small user base (a company with several thousand employees)
• Simple applications
– use ID cards to access a building
– use smart cards to log onto their computers
63
Information Security
64
Information Security
65
Information Security
3. OCSP
• An “online” mechanism
• Simple Client-Server model
66
Information Security
OCSP Model
OCSP OCSP
Validation Validation
Server Server
(Secure) (Secure)
67
Information Security
68
Information Security
69
Information Security
70
Information Security
OCSP- Applications
• works well for deployments
– with tens of thousands of users
– in close proximity to one another
• Example:
– a university with a single large campus
• could issue smartcards to all its students that allow them access to
dormitories, libraries, and campus-wide computer networks
71
Information Security
72
Information Security
D-OCSP - Applications
• works well for deployments
– anywhere from several thousand to hundreds of millions of users
• Example:
– A government agency with a number of centers of operation scattered
throughout the world
• issues smart cards that allow access to a networked fileserver containing
sensitive information, or
• allow entry to field offices
73
Information Security
4. SCVP
• allows a client to delegate certificate path construction
and certificate path validation to a server
• The path construction or validation (e.g. making sure
that none of the certificates in the path are revoked)
is performed according to a validation policy, which
contains one or more trust anchors
• It allows simplification of client implementations and
use of a set of predefined validation policies.
• Simplify the Relying Party
• Enable Widespread Use of PKI
• Allow for Centralized Certificate Policy Management
74
Information Security
4. SCVP
• When a SCVP Client wants to obtain a certification
path, validate a public key certificate or both
simultaneously
– it must send a SCVP Validation Request (SCVPRequest)
message to a capable SCVP entity (server)
– SCVP server builds and returns the certification path to the
client, to validate the certificate presented by the client or both
– SCVP server must respond to the client a SCVP Validation
Response (SCVPResponse) message which contains the new
certificate path and/or the certificate status.
75
Information Security
76
Information Security
SCVP Advantages
• Simplify Client
• Enable Faster PKI Integration
• Reduce Client Implementation Flaws
– Keep them simple
• Centralized Control Over Trust
• Ability to Support Complex Certificate Hierarchies
• Centralized Certificate Policy Management
77
Information Security
SCVP Disadvantages
• Place a lot of “Power” in the SCVP Server
– SCVP Server is a Single Point of Attack
• Server is Complicated
78
Information Security
Resources
• PKIX
– Public Key Infrastructure (X.509) (RFC 6818 – Jan 2013)
– http://www.rfc-editor.org/rfc/rfc6818.txt
• CRL
– Certificate Revocation Lists (RFC 6818 – Jan 2013)
• CRLDP
– Certificate Revocation Lists - Distribution Points (RFC 6818 – Jan 2013)
• OCSP
– Online Certificate Status Protocol (RFC 6960 – June 2013)
http://tools.ietf.org/html/rfc6960
• SCVP
– Simple Certificate Validation Protocol (RFC 5055 – Dec 2007)
– https://tools.ietf.org/html/rfc5055
80
Information Security
Browser capabilities
• All major browsers do some form of revocation checking, that
includes Opera, Safari, Chrome, Firefox and Microsoft Edge.
• Internet Explorer starting with version 7 on Windows Vista (not
XP) supports OCSP checking
• All versions of Mozilla Firefox support OCSP checking. Firefox 3
enables OCSP checking by default
• Safari on Mac OS X supports OCSP checking. It is enabled by
default as of Mac OS X 10.7 (Lion). Prior to that, it has to be
manually activated in Keychain preferences
• Versions of Opera from 8.0 to the current version support OCSP
checking
• Google Chrome disabled OCSP checks by default in 2012, citing
latency and privacy issues
– uses its own update mechanism to send revoked certificates to the browser
• No Browser implements SCVP
81
Information Security
Browser capabilities
• When a user visits a website protected with SSL, it
validates the certificate the web server presents
– important because you need to know if the server you are talking to
really is who they say they are before you start to trust them – that’s
why when browsers do OCSP and CRLs they do this validation before
they download the content from the web page.
– This means that your content won’t be displayed to the user until
this check happens and this can take quite a while.
• For example in the case of Microsoft Edge and Chrome
(when it does standards based revocation checking on
Windows) it uses CryptoAPI which will time-out after 15
seconds of attempting to check the status of a certificate.
– The scary part is that calls to this API do actually time out and when
they do this delay is experienced by the users of your website!
82
Information Security
Browser capabilities
• So what can you do about it?
– It’s simple really you have to be mindful of the operational capacity and
performance of the certificate authority you get your certificate from.
• GlobalSign Inc.
– consistently outperforms every other CA for the performance of their
revocation infrastructure in most cases it’s nearly 6x as fast and in
others is much more than that.
• Also, today the default behavior of browsers when checking
the status of a certificate via OCSP or CRLs is “soft-revocation
failure”.
– This basically means that if they fail for any reason to check the status
of a certificate (usually due to performance or reliability issues) they will
treat the certificate as good anyways. This is an artifact of CAs not
operating sufficiently performant and reliable infrastructure to allow the
browsers to treat network related failures critically.
83
Information Security
Browser capabilities
• Each of these browsers all have options you can use to
enable “hard” or “strict” revocation checking but until
the top CAs operate infrastructure that meets the
performance and reliability requirements of the
modern web no browser will make these the default.
• It is also important to understand that even with this
“soft-failure” your website experiences the
performance cost of doing these checks.
84
Information Security
Google Chrome
• Google does revocation checking through a
proprietary mechanism called CRLsets.
– CRLsets are basically a combination of CRLs, Google crawls the
web gathers CRLs and merges them together into a “mega-
crl”.
– This mega-crl is formatted differently than other CRLs but it’s
essentially the same thing
– but there are some important differences
• due to size concerns, Google selectively chooses which CAs it
includes in the CRL set and within those CRLs which revoked
certificates to include.
– Google introduce this new mechanism that is not as
comprehensive as the standard based ways to deal with
revocation checking for performance and reliability.
85
Information Security
Google Chrome
– With CRLsets Google ensures quick delivery of the revocation list because
they can intelligently pick which revoked certificates are important
– This has implications for users, Chrome trusts certificate authorities for which
it has no revocation information for it also intentionally treats some revoked
certificates as good which exposes you to some risk.
• This is problematic for enterprises that use Chrome and leverage
PKI
– there is essentially no chance Google will decide to include your CRL.
– This is also problematic for those who encounter certificates from those CAs.
• But what do you do if you want a more holistic solution to
revocation checking?
– You can turn on the standards based revocation checking mechanisms and
Chrome will use them in addition to the CRLset,
– go to Settings and expand choose Advanced Settings
– re-enable the standards based revocation checking mechanisms
– then chrome can do a more holistic job protecting you from the known bad
actors on the internet.
86